There are only a couple of security certifications that holders are sure to attach to their names on a business card. One of them is Certified Information Systems Auditor (CISA).
The CISA certification is right up there with Certified Information Systems Security Professional (CISSP) as the crÈme of the security certifications.
While the CISSP is more technology focused, the CISA is geared toward information assurance, said Peter H. Gregory, a consultant with the Woodinville, Wash.-based HartGregory Group and someone who holds both certifications. The CISA certification is focused more on business processes.
"To me, it signals the beginning of competence in both auditing and IT auditing, and it's proof that I can learn it, given the opportunity," said Leslie Van Sickel, a CISA who works for the Kansas Department of Social and Rehabilitation Services in Topeka. "Several people have been impressed, which is nice, of course, but mostly I got it for myself."
As its name implies, the biggest component of the CISA certification is auditing. "Historically, a lot of people with CISAs you met were in IT auditing with Big Six firms or in banking and finance," Gregory said.
Generally, companies might want their IT auditors and any consultants who do similar work to have the certification. People with CISSPs may want to consider the CISA because the certifications are complementary, Gregory said. "You would have good understanding of security but also of business process," he said.
The Information Systems Audit and Control Association has administered the CISA certification for the last 24 years. Today there are 29,000 CISAs worldwide. More than 10,000 people took the exam this year, though not all passed. It isn't easy. Unlike other certifications, the CISA exam is only given once a year.
"It was a stinker," Van Sickel said. "Several people there were taking it for the second time."
Exam questions focus on the following areas:
- Management, planning and organization of IS (11%)
- Technical infrastructure and operational practices (13%)
- Protection of information assets (25%)
- Disaster recovery and business continuity (10%)
- Business application system development, acquisition, implementation and maintenance (16%)
- Business process evaluation and risk management (15%)
- The IS audit process (10%)
Generally, the CISA exam questions are situational, Gregory said. In other words, the taker needs to have some experience with auditing and the other subjects covered by the test. A question may begin: "'An organization wants to perform an audit of process blah, blah, blah,'" he said.
After passing the exam, the applicant must then certify they comply with the experience requirement of at least five years of "professional information systems auditing, control, or security work experience (as described in the job content areas)." A year of information systems or financial or operational auditing experience can be substituted for one of the five years.
An associate's degree can also count toward one year of experience. A bachelor's degree counts for two years.
The Information Systems Audit and Control Association is pretty strict when it comes to experience, Gregory said. "It's not enough to pass the test. Your employer has to sign off on your experience," he said.
Recipients also need to abide by a code of ethics.
Robust review materials are available from the Information Systems Audit and Control Association. At least one review book will be available by June of next year when the test is administered next, Gregory said.